[Zope] Zope/PostgreSQL/PoPy. Solution v0.0.1. Author: Jim Penny
Russell Hires
rhires@earthlink.net
Fri, 24 Aug 2001 08:16:00 -0400
On Friday 24 August 2001 05:03, you wrote:
> Hello again. I'm at work now and I've tried some code. Sorry again, I'm
> Spanish and my English is quite bad.
Your English is as good as any on this list. Don't be so hard on yourself. No
one can hear your accent in cyberspace <;-D
> > > > does select from Departments where name='<dtml-var name sql_quote>'
> > > > work?
> OK! It works successfully! And it seems to be a good solution. Because:
Yes, it works for me as well...though I did something a little different: I
simply did this: '<dtml-var name sql_quote>' as part of my code.
> "<< sql_quote
> Converts single quotes to pairs of single quotes. This is needed to
> safely include values in SQL strings. >>". From Zope Help System, DTML
> Reference, var.
I'm glad somebody found this. I wouldn't have thought to look there...
> But why doesn't <dtml-sqlvar name type=string> work? I think every one of
> us wants to know.
You got that right! What a puzzle....
> > This is not suitable for production code, due to security reasons.
> > does select from Departments where name='<dtml-var name>'
> > work?
> Yes, it works too. But we have the security problem.
So I guess that name='<dtml-var name sql_quote>' is secure, but
name='<dtml-var name>' is not.
So far, so good. I also tried out the psycopg (as in crazy? What's up with
that? :-) db adapter that Tom Jenkins suggested at
http://initd.org/Software/psycopg/. It works just fine with everything the
"original" way.
Thanks for the help everyone...
Russell
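The difference the thread settles on, '<dtml-var name>' versus '<dtml-var name sql_quote>', shown as an added example that is not part of the original message or of Zope's own code. It uses Python's sqlite3 module with a constructed Departments table standing in for the PostgreSQL one, reimplements `sql_quote` here from the DTML reference description (every single quote doubled), and adds the bound-parameter form for comparison. The attacker value, the table contents and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a tiny Departments table standing in for the
# PostgreSQL table discussed in the thread. One name contains an apostrophe
# so the legitimate-data case is exercised as well as the hostile one.
DEPARTMENTS = ["Sales", "Research", "O'Brien Lab"]

# Constructed attacker-controlled value for the DTML variable `name`.
INJECTION = "x' OR '1'='1"


def sql_quote(value):
    """What the DTML reference says sql_quote does: double every single quote
    so the value can sit inside a '...' literal without closing it."""
    return value.replace("'", "''")


def _fresh_db():
    """Build the in-memory table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Departments (name TEXT)")
    conn.executemany("INSERT INTO Departments VALUES (?)",
                     [(d,) for d in DEPARTMENTS])
    return conn


def query_unquoted(name):
    """'<dtml-var name>': raw interpolation, the form the thread calls insecure.
    Raises sqlite3.OperationalError when the value itself breaks the SQL."""
    conn = _fresh_db()
    sql = "SELECT name FROM Departments WHERE name='%s'" % name
    return [row[0] for row in conn.execute(sql)]


def query_sql_quoted(name):
    """'<dtml-var name sql_quote>': quotes doubled before interpolation."""
    conn = _fresh_db()
    sql = "SELECT name FROM Departments WHERE name='%s'" % sql_quote(name)
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(name):
    """Bound parameter: the value never becomes part of the SQL text."""
    conn = _fresh_db()
    return [row[0] for row in conn.execute(
        "SELECT name FROM Departments WHERE name=?", (name,))]


if __name__ == "__main__":
    # The raw form turns WHERE name='x' OR '1'='1' into a match-everything
    # predicate; the quoted and bound forms look for the literal string.
    print("unquoted:     ", query_unquoted(INJECTION))
    print("sql_quote:    ", query_sql_quoted(INJECTION))
    print("parameterized:", query_parameterized(INJECTION))
    print("apostrophe:   ", query_sql_quoted("O'Brien Lab"))
```

Run stand-alone, the unquoted query returns every row for the hostile value, while the sql_quote and bound-parameter queries return nothing; for the ordinary name "O'Brien Lab" the unquoted query fails with a syntax error and the other two return the row. One caveat for the PostgreSQL setup in the thread: before PostgreSQL 9.1 the server treated a backslash inside an ordinary string literal as an escape character by default (standard_conforming_strings off), so a value ending in a backslash-quote pair survives quote doubling as a backslash followed by two quotes and can still break out of the literal. Doubling quotes is therefore not sufficient on its own there, which is one more reason to prefer the bound-parameter form where the adapter supports it.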